On 27 Oct 2010, at 18:38, Lee, Yiu wrote:

> There are many recorded attacks about IP fragmentation (search for Rose
> Frag attack). Some firewalls are smart enough to identify whether it is a
> real attack or not. Some simply drop any fragmentation packet. I am not
> going to argue which is a better policy. My point is, if we can limit the
> fragmentation to happening only between B4 and AFTR, this will save us a lot
> of headache in the future.

For clarification: is this to say that not only do you prefer IPv6 fragmentation to IPv4 fragmentation at the tunnel entrance, but also that you prefer to document only the first alternative?

Note that the Rose attack is based on "the first fragment and the last fragment of 'a very large packet' (64k) [to be sent], but not the middle fragments". It therefore doesn't concern tunnel-entrance fragmentation, because all created fragments are transmitted.

RD

_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
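As an added illustration, not part of this thread, the following monitor models a reassembly buffer the way a stateful firewall would: a complete fragment set, as produced by fragmentation at the tunnel entrance, is distinguished from the Rose pattern of head and tail fragments with the middle never sent. The reassembly keys, the 1280-byte tunnel MTU and the detection thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

class ReassemblyMonitor:
    """Tracks byte ranges seen per (source, IP-ID) key; no payload is buffered."""

    def __init__(self):
        self.ranges = defaultdict(list)  # key -> [(start, end), ...] in bytes
        self.total = {}                  # key -> datagram length once MF=0 seen

    def observe(self, key, offset, length, more_fragments):
        """Record one fragment (offset already converted from 8-byte units)."""
        self.ranges[key].append((offset, offset + length))
        if not more_fragments:           # last fragment fixes the total length
            self.total[key] = offset + length

    def covered_bytes(self, key):
        """Bytes covered by received fragments, overlaps counted once."""
        covered, cursor = 0, 0
        for start, end in sorted(self.ranges[key]):
            if end > cursor:
                covered += end - max(start, cursor)
                cursor = end
        return covered

    def missing_bytes(self, key):
        if key not in self.total:
            return None                  # tail not seen: size still unknown
        return self.total[key] - self.covered_bytes(key)

    def classify(self, key):
        """'complete', 'rose-like' or 'incomplete' (thresholds are assumptions)."""
        missing = self.missing_bytes(key)
        if missing == 0:
            return "complete"
        starts = {s for s, _ in self.ranges[key]}
        # Rose pattern: head and tail present, declared size near the 64 KiB
        # maximum, and almost the whole middle absent from the buffer.
        if (missing is not None and 0 in starts
                and self.total[key] > 60000 and missing > 0.9 * self.total[key]):
            return "rose-like"
        return "incomplete"

def demo():
    """Constructed fragments: a tunnel-entrance split and a Rose-style pair."""
    m = ReassemblyMonitor()
    # 1480-byte payload split for a 1280-byte tunnel MTU: every piece is sent.
    m.observe(("10.0.0.1", 1), 0, 1256, True)
    m.observe(("10.0.0.1", 1), 1256, 224, False)
    # Head and tail of a 65535-byte datagram; the middle never arrives.
    m.observe(("10.0.0.2", 2), 0, 8, True)
    m.observe(("10.0.0.2", 2), 65520, 15, False)
    return m
```

A real implementation would run the classification when the reassembly timer for an entry expires, which is exactly the moment the Rose pattern starts costing memory.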
